Xpra: Ticket #1791: ldap authentication
Sat, 24 Mar 2018 15:50:53 GMT - Antoine Martin: status changed
- status changed from new to assigned
Done:
- ldap authentication module added in r18827 using python-ldap
- macos modules added in r18828 + r18829
- win32 packaging in r18830
- Active Directory compatibility improvements in r18831
- environment variables for tuning and debugging: r18832, r18833
- support TLS connections to the LDAP server: r18834
- option to specify the CACERT file (for using self signed certs) and change the password encoding (which defaults to "utf-8" - spec says "utf-8" but MS AD servers may require "utf-16-le" to support special characters): r18835
Usage example:
xpra start --bind-tcp=0.0.0.0:10000 -d auth \
"--tcp-auth=ldap,host=ldaphostname,port=389,username_format=cn=%username, o=%domain"
Details on the settings, which are all optional:
- "host" defaults to "localhost"
- "port" defaults to 389
- "tls" defaults to 0 (false)
- "cacert" defaults to no value
- "encoding" defaults to "utf-8"
- "username_format": the special strings "%username" and "%domain" will be substituted at runtime. The username is specified by the client. The domain value is obtained using socket.getfqdn and removing the hostname part (keeping everything after the first dot).
According to this very helpful blog post: Python LDAP authentication with Microsoft Active Directory, the username_format for AD is just "%username@%domain". That's assuming that the server's domain name is set correctly too, otherwise replace %domain with the desired value.
See also: Configuring and securing PYTHON LDAP Applications
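The username_format substitution described above, as an added example that is not xpra's own code: the domain is derived from the FQDN exactly as the comment states (everything after the first dot), both placeholders are replaced in a single pass so a client-supplied username containing "%domain" cannot pull the server domain into itself, and the client-supplied username is escaped per RFC 4514 before it lands in a DN-style format such as "cn=%username, o=%domain". The "dn_escape" helper and its use here are an assumption for this example, not a description of how the module behaves; for the AD form "%username@%domain" the "@" is not a DN-special character, so ordinary usernames come out unchanged.

```python
import re
import socket

# Characters RFC 4514 requires escaping inside a DN attribute value.
_DN_SPECIAL = ',+"\\<>;='


def dn_escape(value):
    """Escape a string for use as an attribute value in an LDAP DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            # control characters are written as a backslash plus two hex digits
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def default_domain(fqdn=None):
    """Domain as the ticket describes it: the FQDN with the hostname part removed."""
    if fqdn is None:
        fqdn = socket.getfqdn()
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def format_bind_name(username_format, username, domain=None, escape=True):
    """Expand %username and %domain in username_format in one pass.

    'escape' applies RFC 4514 escaping to the client-supplied username
    (an assumption of this example, useful for DN-style formats).
    """
    if domain is None:
        domain = default_domain()
    values = {
        "%username": dn_escape(username) if escape else username,
        "%domain": domain,
    }
    # A single regex pass means substituted text is never re-scanned.
    return re.sub(r"%(?:username|domain)", lambda m: values[m.group(0)], username_format)
```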
Sun, 25 Mar 2018 13:56:41 GMT - Antoine Martin: owner, status changed
- owner changed from Antoine Martin to J. Max Mena
- status changed from assigned to new
Another ldap backend, this time using the ldap3 python library. This one may be easier to use against AD servers, the username takes the form: "DOMAIN\username".
- r18843: add "ldap3" authentication module, man page update, etc
- r18844: macos moduleset changes
- r18845 + r18846: debug logging tweaks
- r19030: optional "recommends" rpm dependency
It uses the same options as the "ldap" authentication module: "host", "port", "tls", "cacert", but not "encoding". And also some new options:
- "authentication" defaults to "NTLM", the other options are: "SIMPLE" and "SASL" (should not be used)
- "ssl-version" defaults to "TLSv1" (see python ssl: socket creation for more details).
- "ssl-validate" defaults to "REQUIRED", other options: "OPTIONAL" and "NONE".
Usage example:
xpra start --bind-tcp=0.0.0.0:10000 -d auth \
--tcp-auth=ldap3,host=localhost,port=389
@maxmylyn: please test both backends against ldap and AD servers.
Fri, 01 Jun 2018 11:46:43 GMT - Antoine Martin: status changed; resolution set
- status changed from new to closed
- resolution set to worksforme
Sat, 23 Jan 2021 05:33:53 GMT - migration script:
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1791